Logs indicate that all processes that require read access
have already been granted it.
Bug: 28760354
Test: build policy
Merged-In: I5826c45f54af32e3d4296df904c8523bb5df5e62
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62
This change did not make it into core sepolicy in time for O.
The revert allows devices to define these selinux policies in
vendor-specific sepolicy instead of core sepolicy. It is
necessary because:
1. It is too late to change property_contexts in O.
2. Adding the netd_stable_secret prop to vendor sepolicy results
in a duplicate definition error at compile time.
3. Defining a new vendor-specific context (such as
net_stable_secret_vendor_prop) and applying it to
persist.netd.stable_secret results in the device not booting
due to attempting to apply two different contexts to the same
property.
Lack of the sepolicy no longer breaks wifi connectivity now that
IpManager no longer considers failure to set the stable secret to
be a fatal error.
Once all interested devices have adopted the vendor sepolicy,
this policy can safely be reinstated by reverting said vendor
sepolicies in internal master.
This reverts commit abb1ba6532.
Bug: 17613910
Test: bullhead builds, boots, connects to wifi
Change-Id: Idffcf78491171c54bca9f93cb920eab9b1c47709
Logs indicate that all processes that require access already have it.
Bug: 28760354
Test: build
Merged-In: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8
Change-Id: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8
Logs show that only dumpstate requires access.
avc: granted { read open } for comm="screencap" path="/dev/ion"
dev="tmpfs" ino=14324 scontext=u:r:dumpstate:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file
avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
ino=14324 ioctlcmd=4906 scontext=u:r:dumpstate:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file
Grant ion permission to dumpstate which uses it for screencap
feature.
Bug: 28760354
Test: build. Check logs.
Change-Id: I6435b7dbf7656669dac5dcfb205cf0aeda93991b
Logs indicate apps, system_server, and runas are the only
domains that require this permission.
Bug: 28760354
Test: check logs.
Change-Id: I93dc53ec2d892bb91c0cd6f5d7e9cbf76b9bcd9f
Bug: 62706738
Bug: 34133340
Test: Check that uid_time_in_state can't be read from
the shell without root permissions and that
"dumpsys batterystats --checkin| grep ctf" shows frequency
data (system_server was able to read uid_time_in_state)
Change-Id: Ic6a54da4ebcc9e10b0e3af8f14a45d7408e8686e
(cherry picked from commit 4dc88795d0)
A legitimate call to access(2) is generating a denial. Use the
audit_access permission to suppress the denial on just the access()
call.
avc: denied { write } for name="verified_jars"
scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
Bug: 62597207
Test: build policy
Test: The following cmd succeeds but no longer generates a denial
adb shell cmd package compile -r bg-dexopt --secondary-dex \
com.google.android.googlequicksearchbox
Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f
(cherry picked from commit 575e627081)
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class. As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11. Define this security class and its access vector, add
it to the socket_class_set macro, and exclude it from webview_zygote
like other socket classes.
Test: Policy builds
Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This adds parellel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem
Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
an external card formated as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>
In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM. We must send the signal both to all
processes within a POSIX process group and a cgroup. To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing. If they are, we skip sending a second signal. This requires
getpgid permissions, hence this SELinux change.
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570
Add sepolicy to hal_wifi to access /proc/modules
to check if Wi-Fi driver is loaded.
Bug: 62013623
Change-Id: Ib700170095b183a1e0e6a36b64e7c65655174f21
This is used to persist RFC 7217 stable secrets across device reboots.
First submit caused a merge conflict. This revision replaces netd_prop
with a more unique name netd_stable_secret_prop.
Test: as follows
- Manually tested that stable_secret is generated on first use and
persists until reset of user data partition (factory reset).
- Tested that "adb shell getprop" was denied access to
persist.netd.stable_secret after running "adb unroot".
Bug: 17613910
Change-Id: I0a609c724799a15b1926e62534c16810d34f2275
This broke the build on master. See b/17613910#comment17
for details.
This reverts commit ef1fd98b6a.
Change-Id: I11f7d463061a9b6340c11827135586266e26f016
This is used to persist RFC 7217 stable secrets across device reboots.
Test: as follows
- Manually tested that stable_secret is generated on first use and
persists until reset of user data partition (factory reset).
- Tested that "adb shell getprop" was denied access to
persist.netd.stable_secret after running "adb unroot".
Bug: 17613910
Change-Id: I4dad00fb189d697aceaffae49ad63987c7e45054
This is to Allow commands like `adb shell run-as ...`.
Bug: http://b/62358246
Test: run commands manually.
Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2
It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.
Bug: http://b/62297059
Test: dumpstate
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
Owners are selected from top CL approvals or owners.
They will be suggested to review/approve future CLs.
Test: build/make/tools/checkowners.py -c -v OWNERS
Change-Id: I3d7f4c06209c22dea0d824429d68997f7179985f
Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.
Bug: 31008728
Test: make droid
Merged-In: I29c4509304978afb2187fe2e7f401144c6c3b4c6
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6
tombstoned allows dumpstate to install "intercepts" to java trace
requests for a given process. When an "intercept" is installed, all
trace output is redirected to a pipe provided by dumpstate instead
of the default location (usually in /data/anr or /data/tombstone).
Note that these processes are already granted "write" and "getattr"
on dumpstate:fifo_file in order to communicate with dumpstate; this
change adds "append" to the existing set of permissions.
Bug: 32064548
Test: manual
Change-Id: Iccbd78c59071252fef318589f3e55ece51a3c64c
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.
Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.
Bug: 32064548
Test: Manual
Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5
